Abstract

This recommendation defines five confidentiality modes of operation for use with an underlying 
symmetric key block cipher algorithm: Electronic Codebook (ECB), Cipher Block Chaining 
(CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR). Used with an 
underlying block cipher algorithm that is approved in a Federal Information Processing Standard 
(FIPS), these modes can provide cryptographic protection for sensitive, but unclassified,
computer data. 

KEY WORDS: Computer security; cryptography; data security; block cipher; encryption; 
Federal Information Processing Standard; mode of operation. 



Table of Contents

1 PURPOSE
2 AUTHORITY
3 INTRODUCTION
4 DEFINITIONS, ABBREVIATIONS, AND SYMBOLS
  4.1 Definitions and Abbreviations
  4.2 Symbols
    4.2.1 Variables
    4.2.2 Operations and Functions
5 PRELIMINARIES
  5.1 Underlying Block Cipher Algorithm
  5.2 Representation of the Plaintext and the Ciphertext
  5.3 Initialization Vectors
  5.4 Examples of Operations and Functions
6 BLOCK CIPHER MODES OF OPERATION
  6.1 The Electronic Codebook Mode
  6.2 The Cipher Block Chaining Mode
  6.3 The Cipher Feedback Mode
  6.4 The Output Feedback Mode
  6.5 The Counter Mode
APPENDIX A: PADDING
APPENDIX B: GENERATION OF COUNTER BLOCKS
  B.1 The Standard Incrementing Function
  B.2 Choosing Initial Counter Blocks
APPENDIX C: GENERATION OF INITIALIZATION VECTORS
APPENDIX D: ERROR PROPERTIES
APPENDIX E: MODES OF TRIPLE DES
APPENDIX F: EXAMPLE VECTORS FOR MODES OF OPERATION OF THE AES
  F.1 ECB Example Vectors
    F.1.1 ECB-AES128.Encrypt
    F.1.2 ECB-AES128.Decrypt
    F.1.3 ECB-AES192.Encrypt
    F.1.4 ECB-AES192.Decrypt
    F.1.5 ECB-AES256.Encrypt
    F.1.6 ECB-AES256.Decrypt
  F.2 CBC Example Vectors
    F.2.1 CBC-AES128.Encrypt
    F.2.2 CBC-AES128.Decrypt
    F.2.3 CBC-AES192.Encrypt
    F.2.4 CBC-AES192.Decrypt
    F.2.5 CBC-AES256.Encrypt
    F.2.6 CBC-AES256.Decrypt
  F.3 CFB Example Vectors
    F.3.1 CFB1-AES128.Encrypt
    F.3.2 CFB1-AES128.Decrypt
    F.3.3 CFB1-AES192.Encrypt
    F.3.4 CFB1-AES192.Decrypt
    F.3.5 CFB1-AES256.Encrypt
    F.3.6 CFB1-AES256.Decrypt
    F.3.7 CFB8-AES128.Encrypt
    F.3.8 CFB8-AES128.Decrypt
    F.3.9 CFB8-AES192.Encrypt
    F.3.10 CFB8-AES192.Decrypt
    F.3.11 CFB8-AES256.Encrypt
    F.3.12 CFB8-AES256.Decrypt
    F.3.13 CFB128-AES128.Encrypt
    F.3.14 CFB128-AES128.Decrypt
    F.3.15 CFB128-AES192.Encrypt
    F.3.16 CFB128-AES192.Decrypt
    F.3.17 CFB128-AES256.Encrypt
    F.3.18 CFB128-AES256.Decrypt
  F.4 OFB Example Vectors
    F.4.1 OFB-AES128.Encrypt
    F.4.2 OFB-AES128.Decrypt
    F.4.3 OFB-AES192.Encrypt
    F.4.4 OFB-AES192.Decrypt
    F.4.5 OFB-AES256.Encrypt
    F.4.6 OFB-AES256.Decrypt
  F.5 CTR Example Vectors
    F.5.1 CTR-AES128.Encrypt
    F.5.2 CTR-AES128.Decrypt
    F.5.3 CTR-AES192.Encrypt
    F.5.4 CTR-AES192.Decrypt
    F.5.5 CTR-AES256.Encrypt
    F.5.6 CTR-AES256.Decrypt
APPENDIX G: REFERENCES

Table of Figures

Figure 1: The ECB Mode
Figure 2: The CBC Mode
Figure 3: The CFB Mode
Figure 4: The OFB Mode
Figure 5: The CTR Mode



6 Block Cipher Modes of Operation 

The mathematical specifications of the five modes are given in Sections 6.1-6.5, along with 
descriptions, illustrations, and comments on the potential for parallel processing. 

6.1 The Electronic Codebook Mode

The Electronic Codebook (ECB) mode is a confidentiality mode that features, for a given key, 
the assignment of a fixed ciphertext block to each plaintext block, analogous to the assignment of 
code words in a codebook. The Electronic Codebook (ECB) mode is defined as follows: 



ECB Encryption:  $C_j = \mathrm{CIPH}_K(P_j)$  for $j = 1 \ldots n$.

ECB Decryption:  $P_j = \mathrm{CIPH}^{-1}_K(C_j)$  for $j = 1 \ldots n$.



In ECB encryption, the forward cipher function is applied directly and independently to each 
block of the plaintext. The resulting sequence of output blocks is the ciphertext. 

In ECB decryption, the inverse cipher function is applied directly and independently to each 
block of the ciphertext. The resulting sequence of output blocks is the plaintext. 

Figure 1: The ECB Mode



In ECB encryption and ECB decryption, multiple forward cipher functions and inverse cipher 
functions can be computed in parallel. 



In the ECB mode, under a given key, any given plaintext block always gets encrypted to the
same ciphertext block. If this property is undesirable in a particular application, the ECB mode
should not be used.

The ECB mode is illustrated in Figure 1.

6.2 The Cipher Block Chaining Mode

The Cipher Block Chaining (CBC) mode is a confidentiality mode whose encryption process 
features the combining ("chaining") of the plaintext blocks with the previous ciphertext blocks. 
The CBC mode requires an IV to combine with the first plaintext block. The IV need not be 
secret, but it must be unpredictable; the generation of such IVs is discussed in Appendix C. 
Also, the integrity of the IV should be protected, as discussed in Appendix D. The CBC mode is 
defined as follows: 

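CBC Encryption:  $C_1 = \mathrm{CIPH}_K(P_1 \oplus IV)$;
                 $C_j = \mathrm{CIPH}_K(P_j \oplus C_{j-1})$  for $j = 2 \ldots n$.

CBC Decryption:  $P_1 = \mathrm{CIPH}^{-1}_K(C_1) \oplus IV$;
                 $P_j = \mathrm{CIPH}^{-1}_K(C_j) \oplus C_{j-1}$  for $j = 2 \ldots n$.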

Figure 2: The CBC Mode



In CBC encryption, the first input block is formed by exclusive-ORing the first block of the 
plaintext with the IV. The forward cipher function is applied to the first input block, and the 
resulting output block is the first block of the ciphertext. This output block is also
exclusive-ORed with the second plaintext data block to produce the second input block, and the forward
cipher function is applied to produce the second output block. This output block, which is the 
second ciphertext block, is exclusive-ORed with the next plaintext block to form the next input 
block. Each successive plaintext block is exclusive-ORed with the previous output/ciphertext 
block to produce the new input block. The forward cipher function is applied to each input block 
to produce the ciphertext block. 

In CBC decryption, the inverse cipher function is applied to the first ciphertext block, and the 
resulting output block is exclusive-ORed with the initialization vector to recover the first 
plaintext block. The inverse cipher function is also applied to the second ciphertext block, and 
the resulting output block is exclusive-ORed with the first ciphertext block to recover the second 
plaintext block. In general, to recover any plaintext block (except the first), the inverse cipher 
function is applied to the corresponding ciphertext block, and the resulting block is
exclusive-ORed with the previous ciphertext block.

In CBC encryption, the input block to each forward cipher operation (except the first) depends on 
the result of the previous forward cipher operation, so the forward cipher operations cannot be 
performed in parallel. In CBC decryption, however, the input blocks for the inverse cipher 
function, i.e., the ciphertext blocks, are immediately available, so that multiple inverse cipher 
operations can be performed in parallel. 

The CBC mode is illustrated in Figure 2. 
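
The ECB property noted in Section 6.1 (equal plaintext blocks give equal ciphertext blocks) and the CBC chaining defined above, as an added example that is not part of the Recommendation. A 4-round Feistel permutation built from HMAC-SHA-256 stands in for CIPH_K and its inverse (an assumption; it is not an approved block cipher), and the key, IV and plaintext are constructed sample values.

```python
import hashlib, hmac

B = 16  # block size in bytes (b = 128 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:B // 2]

def ciph(key, block):
    # Forward cipher CIPH_K: stand-in 4-round Feistel permutation (assumption, not AES).
    l, r = block[:B // 2], block[B // 2:]
    for rnd in range(4):
        l, r = r, xor(l, round_f(key, rnd, r))
    return l + r

def ciph_inv(key, block):
    # Inverse cipher CIPH^-1_K: undo the rounds in reverse order.
    l, r = block[:B // 2], block[B // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, round_f(key, rnd, l)), l
    return l + r

def blocks(data):
    if len(data) % B:
        raise ValueError("ECB and CBC operate on whole blocks")
    return [data[i:i + B] for i in range(0, len(data), B)]

def ecb_encrypt(key, pt):
    return b"".join(ciph(key, p) for p in blocks(pt))      # C_j = CIPH_K(P_j)

def ecb_decrypt(key, ct):
    return b"".join(ciph_inv(key, c) for c in blocks(ct))  # P_j = CIPH^-1_K(C_j)

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in blocks(pt):
        prev = ciph(key, xor(p, prev))                     # C_j = CIPH_K(P_j xor C_{j-1})
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    cs = blocks(ct)
    # All inputs to CIPH^-1_K are known up front, so these calls are independent.
    return b"".join(xor(ciph_inv(key, c), prev) for c, prev in zip(cs, [iv] + cs[:-1]))

def repeated_blocks(ct):
    # Number of ciphertext blocks that duplicate an earlier block.
    return len(blocks(ct)) - len(set(blocks(ct)))

KEY = b"constructed key!"                                   # constructed sample values
IV = hashlib.sha256(b"constructed iv").digest()[:B]          # real IVs must be unpredictable
PT = b"PAY 100 TO ALICE" * 3 + b"PAY 999 TO BOB.."
```

Under ECB the three identical plaintext blocks are visible as duplicate ciphertext blocks; under CBC with the same key they are not.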

6.3 The Cipher Feedback Mode

The Cipher Feedback (CFB) mode is a confidentiality mode that features the feedback of 
successive ciphertext segments into the input blocks of the forward cipher to generate output 
blocks that are exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The 
CFB mode requires an IV as the initial input block. The IV need not be secret, but it must be 
unpredictable; the generation of such IVs is discussed in Appendix C. 

The CFB mode also requires an integer parameter, denoted s, such that 1 ≤ s ≤ b. In the
specification of the CFB mode below, each plaintext segment ($P^{\#}_j$) and ciphertext segment ($C^{\#}_j$)
consists of s bits. The value of s is sometimes incorporated into the name of the mode, e.g., the 
1-bit CFB mode, the 8-bit CFB mode, the 64-bit CFB mode, or the 128-bit CFB mode. 



The CFB mode is defined as follows: 



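CFB Encryption:  $I_1 = IV$;
                 $I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \mid C^{\#}_{j-1}$  for $j = 2 \ldots n$;
                 $O_j = \mathrm{CIPH}_K(I_j)$  for $j = 1, 2 \ldots n$;
                 $C^{\#}_j = P^{\#}_j \oplus \mathrm{MSB}_s(O_j)$  for $j = 1, 2 \ldots n$.

CFB Decryption:  $I_1 = IV$;
                 $I_j = \mathrm{LSB}_{b-s}(I_{j-1}) \mid C^{\#}_{j-1}$  for $j = 2 \ldots n$;
                 $O_j = \mathrm{CIPH}_K(I_j)$  for $j = 1, 2 \ldots n$;
                 $P^{\#}_j = C^{\#}_j \oplus \mathrm{MSB}_s(O_j)$  for $j = 1, 2 \ldots n$.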

In CFB encryption, the first input block is the IV, and the forward cipher operation is applied to 
the IV to produce the first output block. The first ciphertext segment is produced by
exclusive-ORing the first plaintext segment with the s most significant bits of the first output block. (The
remaining b-s bits of the first output block are discarded.) The b-s least significant bits of the IV 
are then concatenated with the s bits of the first ciphertext segment to form the second input 
block. An alternative description of the formation of the second input block is that the bits of 
the first input block circularly shift s positions to the left, and then the ciphertext segment 
replaces the s least significant bits of the result. 

The process is repeated with the successive input blocks until a ciphertext segment is produced 
from every plaintext segment. In general, each successive input block is enciphered to produce 
an output block. The s most significant bits of each output block are exclusive-ORed with the 
corresponding plaintext segment to form a ciphertext segment. Each ciphertext segment (except 
the last one) is "fed back" into the previous input block, as described above, to form a new input 
block. The feedback can be described in terms of the individual bits in the strings as follows: if 
$i_1 i_2 \ldots i_b$ is the jth input block, and $c_1 c_2 \ldots c_s$ is the jth ciphertext segment, then the (j+1)th input block
is $i_{s+1} i_{s+2} \ldots i_b c_1 c_2 \ldots c_s$.

Figure 3: The CFB Mode

In CFB decryption, the IV is the first input block, and each successive input block is formed as in 
CFB encryption, by concatenating the b-s least significant bits of the previous input block with 
the s most significant bits of the previous ciphertext. The forward cipher function is applied to
each input block to produce the output blocks. The s most significant bits of the output blocks 
are exclusive-ORed with the corresponding ciphertext segments to recover the plaintext 
segments. 

In CFB encryption, like CBC encryption, the input block to each forward cipher function (except 
the first) depends on the result of the previous forward cipher function; therefore, multiple 
forward cipher operations cannot be performed in parallel. In CFB decryption, the required 
forward cipher operations can be performed in parallel if the input blocks are first constructed (in 
series) from the IV and the ciphertext. 



The CFB mode is illustrated in Figure 3. 
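
The CFB feedback register and the remark on parallel decryption, as an added example that is not part of the Recommendation. HMAC-SHA-256 truncated to 128 bits stands in for the forward cipher CIPH_K (an assumption; it is not an approved block cipher), s is limited to whole bytes for brevity, and the key, IV and plaintext are constructed.

```python
import hashlib
import hmac

B = 16  # block size in bytes (b = 128 bits)

def ciph(key, block):
    # Stand-in for the forward cipher CIPH_K (an assumption, not an approved
    # block cipher). CFB never calls the inverse cipher, so a keyed PRF suffices.
    return hmac.new(key, block, hashlib.sha256).digest()[:B]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # zip truncates: keeps MSB_s(O_j)

def check(iv, data, s):
    # This sketch takes s in bytes; the mode itself allows any 1 <= s <= b bits.
    if len(iv) != B or not 1 <= s <= B or len(data) % s:
        raise ValueError("need a b-bit IV, 1 <= s <= b, and whole s-byte segments")

def cfb_encrypt(key, iv, pt, s):
    check(iv, pt, s)
    out, i_blk = bytearray(), iv                    # I_1 = IV
    for k in range(0, len(pt), s):
        c_seg = xor(pt[k:k + s], ciph(key, i_blk))  # C#_j = P#_j xor MSB_s(O_j)
        i_blk = i_blk[s:] + c_seg                   # I_{j+1} = LSB_{b-s}(I_j) | C#_j
        out += c_seg
    return bytes(out)

def cfb_decrypt(key, iv, ct, s):
    check(iv, ct, s)
    out, i_blk = bytearray(), iv
    for k in range(0, len(ct), s):
        out += xor(ct[k:k + s], ciph(key, i_blk))   # P#_j = C#_j xor MSB_s(O_j)
        i_blk = i_blk[s:] + ct[k:k + s]             # feedback is the ciphertext segment
    return bytes(out)

def cfb_decrypt_windowed(key, iv, ct, s):
    # I_j is the b-bit window at offset (j-1)*s in IV | C#_1 | C#_2 | ..., so every
    # input block is known before any cipher call and the calls are independent.
    check(iv, ct, s)
    reg = iv + ct
    inputs = [reg[k:k + B] for k in range(0, len(ct), s)]
    outputs = [ciph(key, i) for i in inputs]        # could be dispatched in parallel
    return b"".join(xor(ct[j * s:(j + 1) * s], o) for j, o in enumerate(outputs))

KEY = b"constructed key!"                            # constructed sample values
IV = hashlib.sha256(b"constructed iv").digest()[:B]
PT = b"segment-wise feedback demo text."             # 32 bytes
```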

6.4 The Output Feedback Mode



The Output Feedback (OFB) mode is a confidentiality mode that features the iteration of the 
forward cipher on an IV to generate a sequence of output blocks that are exclusive-ORed with 
the plaintext to produce the ciphertext, and vice versa. The OFB mode requires that the IV is a 
nonce, i.e., the IV must be unique for each execution of the mode under the given key; the 
generation of such IVs is discussed in Appendix C. The OFB mode is defined as follows: 



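OFB Encryption:  $I_1 = IV$;
                 $I_j = O_{j-1}$  for $j = 2 \ldots n$;
                 $O_j = \mathrm{CIPH}_K(I_j)$  for $j = 1, 2 \ldots n$;
                 $C_j = P_j \oplus O_j$  for $j = 1, 2 \ldots n-1$;
                 $C^{*}_n = P^{*}_n \oplus \mathrm{MSB}_u(O_n)$.

OFB Decryption:  $I_1 = IV$;
                 $I_j = O_{j-1}$  for $j = 2 \ldots n$;
                 $O_j = \mathrm{CIPH}_K(I_j)$  for $j = 1, 2 \ldots n$;
                 $P_j = C_j \oplus O_j$  for $j = 1, 2 \ldots n-1$;
                 $P^{*}_n = C^{*}_n \oplus \mathrm{MSB}_u(O_n)$.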



In OFB encryption, the IV is transformed by the forward cipher function to produce the first 
output block. The first output block is exclusive-ORed with the first plaintext block to produce 
the first ciphertext block. The forward cipher function is then invoked on the first output block 
to produce the second output block. The second output block is exclusive-ORed with the second 
plaintext block to produce the second ciphertext block, and the forward cipher function is 
invoked on the second output block to produce the third output block. Thus, the successive 
output blocks are produced from applying the forward cipher function to the previous output 
blocks, and the output blocks are exclusive-ORed with the corresponding plaintext blocks to 
produce the ciphertext blocks. For the last block, which may be a partial block of u bits, the 
most significant u bits of the last output block are used for the exclusive-OR operation; the 
remaining b-u bits of the last output block are discarded. 

In OFB decryption, the IV is transformed by the forward cipher function to produce the first 
output block. The first output block is exclusive-ORed with the first ciphertext block to recover
the first plaintext block. The first output block is then transformed by the forward cipher 
function to produce the second output block. The second output block is exclusive-ORed with 
the second ciphertext block to produce the second plaintext block, and the second output block is 
also transformed by the forward cipher function to produce the third output block. Thus, the 
successive output blocks are produced from applying the forward cipher function to the previous 
output blocks, and the output blocks are exclusive-ORed with the corresponding ciphertext 
blocks to recover the plaintext blocks. For the last block, which may be a partial block of u bits, 
the most significant u bits of the last output block are used for the exclusive-OR operation; the 
remaining b-u bits of the last output block are discarded. 

Figure 4: The OFB Mode



In both OFB encryption and OFB decryption, each forward cipher function (except the first) 
depends on the results of the previous forward cipher function; therefore, multiple forward cipher 
functions cannot be performed in parallel. However, if the IV is known, the output blocks can be 
generated prior to the availability of the plaintext or ciphertext data. 

The OFB mode requires a unique IV for every message that is ever encrypted under the given 
key. If, contrary to this requirement, the same IV is used for the encryption of more than one 
message, then the confidentiality of those messages may be compromised. In particular, if a 
plaintext block of any of these messages is known, say, the jth plaintext block, then the jth output
of the forward cipher function can be determined easily from the jth ciphertext block of the
message. This information allows the jth plaintext block of any other message that is encrypted
using the same IV to be easily recovered from the jth ciphertext block of that message.

Confidentiality may similarly be compromised if any of the input blocks to the forward cipher 
function for the encryption of a message is designated as the IV for the encryption of another 
message under the given key. 

The OFB mode is illustrated in Figure 4. 
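
Why the OFB IV must be unique, worked through as an added example that is not part of the Recommendation: it reproduces the two failure cases described above (a shared IV, and an IV equal to an input block of an earlier message) and includes a check for the second. HMAC-SHA-256 truncated to 128 bits stands in for CIPH_K (an assumption; it is not an approved block cipher), and the key, IVs and messages are constructed.

```python
import hashlib
import hmac

B = 16  # block size in bytes (b = 128 bits)

def ciph(key, block):
    # Stand-in for the forward cipher CIPH_K (an assumption, not an approved
    # block cipher); OFB only ever uses the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:B]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # zip truncates to the shorter input

def output_blocks(key, iv, n):
    # O_1 = CIPH_K(IV), O_j = CIPH_K(O_{j-1}); independent of the message.
    out, blk = [], iv
    for _ in range(n):
        blk = ciph(key, blk)
        out.append(blk)
    return out

def ofb(key, iv, data):
    # Encryption and decryption are the same operation. A final partial block of
    # u bits is XORed with MSB_u(O_n) because xor() truncates.
    n = -(-len(data) // B)
    return xor(data, b"".join(output_blocks(key, iv, n)))

def nth_block(data, j):
    return data[(j - 1) * B:j * B]  # jth block, 1-indexed as in the text

def recover_with_shared_iv(ct_a, known_pt_a_j, ct_b, j):
    # O_j = C_j xor P_j from the known message; the same O_j opens message B's jth block.
    o_j = xor(nth_block(ct_a, j), known_pt_a_j)
    return xor(nth_block(ct_b, j), o_j)

def iv_reuses_input_block(key, iv_prev, n_blocks, iv_new):
    # Input blocks of the earlier message are I_1 = IV and I_j = O_{j-1}.
    return iv_new in [iv_prev] + output_blocks(key, iv_prev, n_blocks - 1)

KEY = b"constructed key!"                                  # constructed sample values
IV1 = hashlib.sha256(b"constructed iv 1").digest()[:B]
IV2 = hashlib.sha256(b"constructed iv 2").digest()[:B]
MSG_A = b"public header 01" b"known second blk" b"tail"
MSG_B = b"public header 01" b"secret blk here!" b"end"
```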

6.5 The Counter Mode 

The Counter (CTR) mode is a confidentiality mode that features the application of the forward 
cipher to a set of input blocks, called counters, to produce a sequence of output blocks that are 
exclusive-ORed with the plaintext to produce the ciphertext, and vice versa. The sequence of 
counters must have the property that each block in the sequence is different from every other 
block. This condition is not restricted to a single message: across all of the messages that are 
encrypted under the given key, all of the counters must be distinct. In this recommendation, the 
counters for a given message are denoted $T_1, T_2, \ldots, T_n$. Methods for generating counters are
discussed in Appendix B. Given a sequence of counters, $T_1, T_2, \ldots, T_n$, the CTR mode is
defined as follows: 

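CTR Encryption:  $O_j = \mathrm{CIPH}_K(T_j)$  for $j = 1, 2 \ldots n$;
                 $C_j = P_j \oplus O_j$  for $j = 1, 2 \ldots n-1$;
                 $C^{*}_n = P^{*}_n \oplus \mathrm{MSB}_u(O_n)$.

CTR Decryption:  $O_j = \mathrm{CIPH}_K(T_j)$  for $j = 1, 2 \ldots n$;
                 $P_j = C_j \oplus O_j$  for $j = 1, 2 \ldots n-1$;
                 $P^{*}_n = C^{*}_n \oplus \mathrm{MSB}_u(O_n)$.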

In CTR encryption, the forward cipher function is invoked on each counter block, and the 
resulting output blocks are exclusive-ORed with the corresponding plaintext blocks to produce 
the ciphertext blocks. For the last block, which may be a partial block of u bits, the most 
significant u bits of the last output block are used for the exclusive-OR operation; the remaining 
b-u bits of the last output block are discarded. 

In CTR decryption, the forward cipher function is invoked on each counter block, and the 
resulting output blocks are exclusive-ORed with the corresponding ciphertext blocks to recover 
the plaintext blocks. For the last block, which may be a partial block of u bits, the most 
significant u bits of the last output block are used for the exclusive-OR operation; the remaining 
b-u bits of the last output block are discarded. 

In both CTR encryption and CTR decryption, the forward cipher functions can be performed in 
parallel; similarly, the plaintext block that corresponds to any particular ciphertext block can be 
recovered independently from the other plaintext blocks if the corresponding counter block can 
be determined. Moreover, the forward cipher functions can be applied to the counters prior to the 
availability of the plaintext or ciphertext data. 

Figure 5: The CTR Mode



The CTR mode is illustrated in Figure 5. 
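
CTR with a partial last block, random-access decryption of a single block, and a check that counters are distinct across all messages under one key, as an added example that is not part of the Recommendation. HMAC-SHA-256 truncated to 128 bits stands in for CIPH_K, and the counter layout (8-byte per-message nonce followed by a 64-bit block index) is an assumption made for this sketch, not a method taken from Appendix B; key, nonces and plaintext are constructed.

```python
import hashlib
import hmac

B = 16  # block size in bytes (b = 128 bits)

def ciph(key, block):
    # Stand-in for CIPH_K (assumption); CTR uses only the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:B]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # zip truncates: gives MSB_u(O_n)

def counter_block(nonce, j):
    # Assumed layout for T_j (not taken from the text): 8-byte per-message nonce
    # followed by a 64-bit big-endian block index.
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    return nonce + j.to_bytes(8, "big")

def ctr(key, nonce, data, first=1):
    # Same operation for encryption and decryption; each O_j depends only on T_j.
    out = bytearray()
    for n, k in enumerate(range(0, len(data), B)):
        out += xor(data[k:k + B], ciph(key, counter_block(nonce, first + n)))
    return bytes(out)

def decrypt_block(key, nonce, ct, j):
    # Random access: the jth plaintext block needs only T_j and the jth ciphertext block.
    return ctr(key, nonce, ct[(j - 1) * B:j * B], first=j)

def counters_distinct(messages):
    # messages: (nonce, length_in_bytes) pairs, all encrypted under ONE key.
    seen = set()
    for nonce, length in messages:
        for j in range(1, -(-length // B) + 1):
            t = counter_block(nonce, j)
            if t in seen:
                return False
            seen.add(t)
    return True

KEY = b"constructed key!"                          # constructed sample values
N1 = b"\x00" * 7 + b"\x01"
N2 = b"\x00" * 7 + b"\x02"
PT = b"counter mode handles a short last block!"   # 40 bytes: last block is partial
```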